Thanks for the links, Nick, very cool. I like your scheme. The secret-never-crosses-the-wire attribute sorta falls apart when it comes to JavaScript frontends, but it would still be a pretty good scheme even if the secret crosses the wire only once, over SSL.
Nice to see that Joyent is working on pushing a standardized scheme for this stuff. It'd be great if we hit a point where I can drop in some popular libraries for this sort of scheme and not worry about implementing any of the important security bits myself.

On Mon, May 25, 2015, at 10:28 AM, Nick Zadrozny wrote:
> Old thread, but it piqued my interest. Here's a pattern that I end up
> using quite a bit in my internal admin APIs. Once you build it a few
> times, it's not really any more work than basic auth, and it has very
> nice security characteristics.
>
> http://git.io/vTNxj
>
> If I were going to build a public facing version of this, I'd borrow
> heavily from Joyent's node-http-signature scheme:
> https://github.com/joyent/node-http-signature/blob/master/http_signing.md
>
>
> On Thu, Apr 23, 2015 at 1:42 PM, Ian Young <[email protected]> wrote:
>> I'm wondering if anyone has recommendations for gems for serving
>> simple token-based authentication in Rails. You know, when you need
>> to provide safe API access but you don't need the overhead of OAuth2.
>> Just have the client send some credentials, get a token, use the
>> token to make requests.
>>
>> Providing this in Rails is just complicated enough that I don't want
>> to reinvent it myself, but there's a strange dearth of good solutions
>> out there. There are a couple[1] simple ones[2] that are tightly
>> coupled to Devise and don't do quite enough (for example, only one
>> token per user), and there's this one[3] which does a bit too much,
>> is still tightly coupled to Devise, and I'm liking less the more I
>> use it.
>>
>> Am I missing any good ones? It's strange to see such a lack of
>> activity around a very common need, and it makes me think that
>> everyone is just shamefully reimplementing this anew for each
>> project.
>>
>> --
>> --
>> SD Ruby mailing list
>> [email protected] http://groups.google.com/group/sdruby
>> ---
>> You received this message because you are subscribed to the Google Groups "SD Ruby" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>
> --
>
> Nick Zadrozny

Links:
1. https://github.com/gonzalo-bulnes/simple_token_authentication
2. https://github.com/baschtl/devise-token_authenticatable
3. https://github.com/lynndylanhurley/devise_token_auth
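An added example, not code from this thread, from Nick's gist or from node-http-signature: a minimal Ruby sketch of the "secret never crosses the wire" pattern the replies discuss. The client and server share a per-token secret (the `TOKENS` table and its values are constructed for the example); the client sends only a token id, a `Date` header and an HMAC-SHA256 over a canonical form of the request, and the server recomputes the signature, compares it in constant time, and rejects requests whose `Date` falls outside a replay window. Header names and the `HMAC token=...,signature=...` format are assumptions for the example, not a standard.

```ruby
require 'openssl'
require 'digest'
require 'time'

# Constructed example token store: token id => shared secret.
# In a real app this would be a database row with the secret stored per token.
TOKENS = {
  'tok_abc123' => 'constructed-secret-do-not-reuse'
}.freeze

# Accept a Date header this many seconds away from server time; older
# requests are rejected so a captured request cannot be replayed indefinitely.
CLOCK_SKEW_SECONDS = 300

# Canonical string both sides sign: method, path, date and a digest of the body.
# The body digest binds the signature to the payload; the date bounds replay.
def canonical_string(method, path, date, body)
  body_digest = Digest::SHA256.hexdigest(body.to_s)
  [method.upcase, path, date, body_digest].join("\n")
end

def sign(secret, canonical)
  OpenSSL::HMAC.hexdigest('SHA256', secret, canonical)
end

# Constant-time comparison so timing does not reveal how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Client side: headers to attach to an outgoing request. The secret itself is
# never sent; only the token id and the HMAC derived from it go on the wire.
def build_auth_headers(token_id, secret, method, path, body, now = Time.now.utc)
  date = now.httpdate
  sig = sign(secret, canonical_string(method, path, date, body))
  {
    'Date' => date,
    'Authorization' => "HMAC token=\"#{token_id}\",signature=\"#{sig}\""
  }
end

# Server side: returns [true, token_id] on success, [false, reason] otherwise.
def verify_request(headers, method, path, body, now = Time.now.utc)
  auth = headers['Authorization'].to_s
  m = auth.match(/\AHMAC token="([^"]+)",signature="([0-9a-f]{64})"\z/)
  return [false, 'malformed Authorization header'] unless m
  token_id, presented = m[1], m[2]

  secret = TOKENS[token_id]
  return [false, 'unknown token'] unless secret

  date = headers['Date'].to_s
  sent_at = begin
    Time.httpdate(date)
  rescue ArgumentError
    return [false, 'bad Date header']
  end
  return [false, 'timestamp outside window'] if (now - sent_at).abs > CLOCK_SKEW_SECONDS

  # Recompute the signature over what the server actually received, so any
  # change to method, path, date or body invalidates it.
  expected = sign(secret, canonical_string(method, path, date, body))
  return [false, 'bad signature'] unless secure_compare(expected, presented)
  [true, token_id]
end

if __FILE__ == $PROGRAM_NAME
  h = build_auth_headers('tok_abc123', TOKENS['tok_abc123'], 'POST', '/admin/users', '{"name":"x"}')
  p h
  p verify_request(h, 'POST', '/admin/users', '{"name":"x"}')
  p verify_request(h, 'POST', '/admin/users', '{"name":"y"}')
end
```

Two things worth noting for anyone building this into a Rails app: the replay window only limits exposure, so a per-token nonce (or request id) stored for the length of the window is needed if a single replay within five minutes matters, and the secret lookup by token id means the table can hold many tokens per user, which is exactly the shortcoming Ian raised about the Devise-coupled gems.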
